Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-12-2024 18:00
Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240903-en
General
Target: Client-built.exe
Size: 3.1MB
MD5: 2e3c730553c130f030cec92a781f2633
SHA1: ae8a5a63a1a711b38d7dcfe3e91415fb42e058c4
SHA256: f388ffe206b5de775298020541f201a9b055c3aad74cac27c33d392408cf12a0
SHA512: c0784215cd1067051b47fe3f86e6059a410607a1cc9623377b887564220bf9046ec182705534521d9a30b6fc00e2e480a0e2a77457c7ec5098db01bf5e0d8327
SSDEEP: 49152:Cv6Y52fyaSZOrPWluWBuGG5g5hJZRJ69bR3LoGdW4THHB72eh2NT:CvP52fyaSZOrPWluWBDG5g5hJZRJ6P
Malware Config
Extracted
quasar
1.4.1
Office04
999:999
5a13e01b-5094-4ae8-9e4e-7b96132114ba
encryption_key: C98F5FD72C77D3C38A5C7ECBED91435EDD8177FE
install_name: Client.exe
log_directory: key
reconnect_delay: 3000
startup_key: cloud
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (3 IoCs)
resource | yara_rule
behavioral1/memory/1804-1-0x0000000000D70000-0x0000000001094000-memory.dmp | family_quasar
behavioral1/files/0x0031000000016de8-5.dat | family_quasar
behavioral1/memory/2732-8-0x0000000000050000-0x0000000000374000-memory.dmp | family_quasar

Executes dropped EXE (1 IoC)
pid | Process
2732 | Client.exe

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\SubDir | Client-built.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File created | C:\Windows\system32\SubDir\Client.exe | Client-built.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client-built.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2816 | schtasks.exe
2096 | schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1804 | Client-built.exe
Token: SeDebugPrivilege | 2732 | Client.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2732 | Client.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1804 wrote to memory of 2816 | 1804 | Client-built.exe | 31
PID 1804 wrote to memory of 2816 | 1804 | Client-built.exe | 31
PID 1804 wrote to memory of 2816 | 1804 | Client-built.exe | 31
PID 1804 wrote to memory of 2732 | 1804 | Client-built.exe | 33
PID 1804 wrote to memory of 2732 | 1804 | Client-built.exe | 33
PID 1804 wrote to memory of 2732 | 1804 | Client-built.exe | 33
PID 2732 wrote to memory of 2096 | 2732 | Client.exe | 34
PID 2732 wrote to memory of 2096 | 2732 | Client.exe | 34
PID 2732 wrote to memory of 2096 | 2732 | Client.exe | 34

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  PID: 1804
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\schtasks.exe
    Command line: "schtasks" /create /tn "cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    PID: 2816
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\system32\SubDir\Client.exe
    Command line: "C:\Windows\system32\SubDir\Client.exe"
    PID: 2732
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "cloud" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      PID: 2096
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15